CIOs say SaaS compliance is a two-way street

17 August 2015

We’ll ensure we don’t break contract terms, but providers must better meet our needs in terms of simplicity and flexibility, say IT bosses

For the best part of a decade, the IT industry has been increasingly pushing the software-as-a-service (SaaS) model as a way for organisations to reduce the cost and complexity of traditional software licensing.

CIOs were encouraged to believe SaaS would bring to an end the growing number of compliance audits imposed by suppliers and give them more flexibility to deploy and use applications as and when needed. Plenty were sceptical - with good reason, it seems.

A report last year from the Business Software Alliance (BSA), the software industry’s leading anti-piracy lobby group, warned there are plenty of compliance pitfalls for those using SaaS (see box).

The focus of the report was on the need for firms to deploy effective software asset management measures, an umbrella term for all the processes and tools an organisation needs to have in place to ensure they remain compliant with the licensing and contractual terms imposed by their software (including SaaS) providers.

Ian Cohen, formerly group CIO of financial services firm Jardine Lloyd Thompson, says: "Many think that because a solution is 'as a service' or multi-tenant, it is somehow okay to behave poorly. Sharing ID’s has always been an issue and even though there are various access management solutions out there, the bottom line is that there is an obligation on an organisation to promote good behaviour and quickly jump on any inappropriate activities."

For most experienced CIOs in large organisations, though, ensuring compliance with software licensing terms is simply standard practice, SaaS or otherwise. Myron Hrycyk, until recently group CIO at Severn Trent Water, says: "I’ve always had in place strong internal audit processes and controls to ensure people don’t misuse logins, be that for on-premise software, internal security purposes or logging on to cloud services. There is a responsibility on clients to have the right level of controls."

And that, Hrycyk points out, isn’t just about deploying appropriate tools. "It has to go beyond a purely technical IT audit. You need training in place for user teams, as well as management checks and processes, because you can’t look over everybody’s shoulder all the time," he says.

Yet while blue-chip CIOs are in agreement about the need for effective processes and controls to prevent falling foul of SaaS compliance issues, many are also irritated by the software industry’s apparent hectoring of customers, particularly since in many cases the suppliers' SaaS contracts and licensing agreements don’t offer businesses the kind of flexibility they need, or thought they were going to get.

Key SaaS compliance pitfalls

The BSA’s 2014 report Navigating the cloud identified five key compliance worries for organisations using SaaS:

Breaking restrictions on giving access to non‑employees or affiliated entities.

Ignoring terms that prevent users providing information generated from the SaaS system to others not paying the subscription fee.

The report goes on to note that some SaaS providers are introducing analytics systems to monitor usage patterns for signs of unauthorised use to flag up likely offenders for investigation. It cautions that SaaS users must ensure they have appropriate software asset management tools and processes to ensure they remain compliant with the contractual terms of their SaaS providers.

Former Irish government CIO – and before that UK government deputy CIO – Bill McCluggage has been instrumental in promoting the use of SaaS and cloud services in the public sector. Now running his own CIO advisory service, Laganview Associates, he says: "I know from government’s perspective, they’re increasingly frustrated by vendors trying to squeeze ever more money out of them for services on which they’re already making margins of 80%. A lot of bigger vendors are coming in to audit customers simply because they know they’ll be able to recover additional revenue, and I think that’s unreasonable. When somebody provides you with a rental car, they don’t come in and say, 'We want to make sure you only have one passenger not three, so we’ll audit you and charge you extra if you carry more people'. They charge you on the basis of hiring that vehicle. Similarly, many SaaS providers need to simplify their contractual terms and give customers the flexibility to use the software how they need, at as low a cost as possible."

Maturing market

On the positive side, the market is growing and maturing, and not all SaaS providers are so inflexible with their terms. Hrycyk says: "The contractual structures providers are putting together are becoming increasingly mature and flexible, particularly among the smaller suppliers. For example, they're beginning to set up contracts that align to business metrics, which is very helpful if you’re looking for models that will flex up and down. For instance, a SaaS billing engine I put in place at Severn Trent was structured so that if the number of supply points went up, the pricing went down.

"I’ve seen those models coming through in other sectors I’ve worked in, too – for instance, basing the price on the number of sites you’re running or the volume of product passing through a supply chain. So there are some good opportunities for CIOs to be more imaginative when they’re trying to set these contracts up."

But he still thinks SaaS suppliers need to do more to more to move to a model of lower-cost subscriptions with greater flexibility: "We’re still coming from a world where you had licence fees and annuity streams. Of course, the suppliers still need a level of commitment from a customer – and there’s no sign of them offering pure 'pay as you go' yet – but they certainly need to flex more."

Ian Cohen agrees. "Too many providers are just re-badging old annual licence models as annual subscriptions and that was never the point of moving to a pay-per-use model – at least not from the buyer’s perspective."

And, like Hrycyk, Cohen sees that the maturing SaaS market affords CIOs the option to be more choosy about (and demanding of) their suppliers. "It's becoming easier to find alternatives and negotiate because there are so many options out there, even by going open source. However, many of the bigger SaaS providers still believe their own hype and that can make things difficult – particularly for smaller companies. Unfortunately, the challenge is as much inside the buying organisations, since many procurement functions often still feel more comfortable negotiating big, old-fashioned deals because that’s what they’re used to.

'Software vendor beware'

Former group CIO of the Highways Agency Ian Campbell, who is currently working for a US bank, finds the online sign-up and monthly billing of the typical SaaS model a far simpler way to consume software than in the past. But he too agrees that CIOs need to negotiate with SaaS suppliers upfront to secure the most mutually beneficial contract. "We all know there’s a list price and what you’re able to negotiate in terms of discounts and flexibility depends on who you are. But no one should just accept the standard terms without question. We’ve never been penalised for breaking SaaS contract terms, but providers can be tricky and people have to watch out," he says.

Something CIOs should be particularly vigilant over when negotiating SaaS terms, advises Hrycyk, is ensuring contracts can be moved across to another entity without renegotiation in the event of a merger or acquisition. "That’s often overlooked with SaaS, and then the new owner may be contractually obliged to purchase an entirely new subscription," he warns.

Ultimately, though, the SaaS suppliers that refuse to be flexible may end up the losers, suggests McCluggage. "To me the most interesting perspective in all this is how the market for consumable SaaS – things like the Apple App Store, where you pay a small one-off fee or modest subscription for unlimited use of an app – will affect the future of the corporate model. The SaaS market is constantly evolving, and it shouldn’t really be 'buyer beware' as much as 'software vendor beware'," he says.